Part 3: PostfixAdmin – Create Virtual Mailboxes on Rocky Linux 9/Alma Linux 9 Mail Server

In previous articles, we discussed how to set up your own mail server on Rocky Linux 9/Alma Linux 9 from scratch. In part 1 and part 2 of this tutorial series, we learned how to set up Postfix SMTP server and Dovecot IMAP server, but so far we can only have email addresses for users with local Unix account. This tutorial is going to show you how to create virtual mailboxes on Rocky Linux 9/Alma Linux 9 mail server with PostfixAdmin, which is an open-source web-based interface to configure and manage a Postfix-based email server for many domains and users.

With virtual mailboxes, we don’t need to create local Unix account for each email address. If you are going to set up a mail server for a company or organization, it’s always better to have an easy way to create virtual mailboxes in a web-based interface, which also allows users to change their passwords. That’s where PostfixAdmin comes in.

PostfixAdmin Features

• manage mailboxes, virtual domains and aliases
• vacation/out-of-office messages (Personally I think this feature is better done in Roundcube Webmail.)
• alias domains (forwarding one domain to another with recipient validation)
• users can manage their own mailbox (change alias, password and vacation message)
• quota support for single mailboxes and total quota of a domain
• fetchmail integration: You can fetch emails from your original email address to your new email address.
• command line client postfixadmin-cli for those who don’t want to click around in a web interface 😉

Note: Once you finish part 3, you can no longer use local Unix accounts as email addresses. You must create email addresses from the PostfixAdmin web interface.

Prerequisites

I assume that you have followed part 1 and part 2 of this tutorial series. If you followed mail server tutorials on other websites, I recommend purging your configurations and start over with my tutorial series, so you are not going to be confused by different setup processes.

Once the above requirements are met, let’s install and configure PostfixAdmin.

Step 1: Install MariaDB Database Server on Rocky Linux 9/Alma Linux 9

PostfixAdmin is written in PHP and requires a database (MySQL/MariaDB, PostgreSQL or SQLite). This article will use MariaDB, which is a drop-in replacement for MySQL. Enter the following command to install MariaDB on Rocky Linux 9/Alma Linux 9.

sudo dnf install mariadb-server mariadb -y

After it’s installed, we need to start it.

sudo systemctl start mariadb

Enable auto start at system boot time.

sudo systemctl enable mariadb

Check status:

systemctl status mariadb

output:

● mariadb.service - MariaDB 10.5 database server
     Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-08-29 09:41:46 UTC; 8s ago
       Docs: man:mariadbd(8)
             https://mariadb.com/kb/en/library/systemd/
   Main PID: 51166 (mariadbd)
     Status: "Taking your SQL requests now..."
      Tasks: 21 (limit: 100496)
     Memory: 77.5M
        CPU: 1.304s
     CGroup: /system.slice/mariadb.service
             └─51166 /usr/libexec/mariadbd --basedir=/usr

“Enabled” indicates that auto start at boot time is enabled and we can see that MariaDB server is running. Now we need to run the security script.

sudo mysql_secure_installation

When it asks you to enter MariaDB root password, press Enter key as the root password isn’t set yet. Then enter y to set the root password for MariaDB server.

Next, you can press Enter to answer all remaining questions, which will remove anonymous user, disable remote root login and remove test database. This step is a basic requirement for MariaDB database security. (Note that the letter Y is capitalized, which means it’s the default answer.)

Step 2: Download PostfixAdmin on Rocky Linux 9/Alma Linux 9 Server

Go to PostfixAdmin Gitbub page to download the latest version. You can use the wget tool to download it from the command line. The download link is always available in the format below. If a new version comes out, simply replace 3.3.11 with the new version number.

sudo dnf install wget -y

wget https://github.com/postfixadmin/postfixadmin/archive/postfixadmin-3.3.11.tar.gz

Once downloaded, extract the archive.

If you are using Apache, then extract it to /var/www/ directory and rename it to postfixadmin.

sudo dnf install tar -y7
sudo tar xvf postfixadmin-3.3.11.tar.gz -C /var/www/
sudo mv /var/www/postfixadmin-postfixadmin-3.3.11 /var/www/postfixadmin

If you are using Nginx, extract it to /usr/share/nginx/ directory and rename it to postfixadmin.

sudo dnf install tar -y
sudo tar xvf postfixadmin-3.3.11.tar.gz -C /usr/share/nginx/
sudo mv /usr/share/nginx/postfixadmin-postfixadmin-3.3.11 /usr/share/nginx/postfixadmin

Step 3: Install Required and Recommended PHP Modules

PostfixAdmin requires the php-imap module to create subfolders in mailboxes, but php-imap isn’t included in the default Rocky Linux 9/Alma Linux 9 repository, so we need to use the Remi repo to install this PHP module.

Install the Remi Repo.

sudo dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm

Then reset PHP module streams.

sudo dnf module reset php

Enable the php:remi-8.0 module stream.

sudo dnf module enable php:remi-8.0 -y

Then you can run the following command to install PHP modules required or recommended by PostfixAdmin.

sudo dnf install -y php-fpm php-imap php-mbstring php-mysqlnd php-gd php-opcache php-json php-curl php-zip php-xml php-bz2 php-intl php-gmp

We need to run the following command to tell SELinux to allow Apache to execute PHP code via PHP-FPM.

sudo setsebool -P httpd_execmem 1

If you use Nginx, edit the PHP-FPM config file:

nano /etc/php-fpm.d/www.conf

By default, PHP-FPM runs as the apache user. Since you are using Nginx web server, we need to change it. Find the following two lines.

user = apache
group = apache

Change them to

user = nginx
group = nginx

Save and close the file. Then start PHP-FPM.

sudo systemctl start php-fpm

Enable auto start at system boot time.

sudo systemctl enable php-fpm

Restart Apache or Nginx.

sudo systemctl restart httpd

sudo systemctl restart nginx

Step 4: Setting Up Permissions

PostfixAdmin requires a templates_c directory, and the web server needs read and write access to this directory. We also need to change the SELinux context to make it writable. So run the following commands.

Apache

sudo mkdir /var/www/postfixadmin/templates_c
sudo setfacl -R -m u:apache:rwx /var/www/postfixadmin/templates_c/
sudo chcon -t httpd_sys_rw_content_t /var/www/postfixadmin/templates_c/ -R

Nginx

sudo mkdir /usr/share/nginx/postfixadmin/templates_c
sudo setfacl -R -m u:nginx:rwx /usr/share/nginx/postfixadmin/templates_c/
sudo chcon -t httpd_sys_rw_content_t /usr/share/nginx/postfixadmin/templates_c/ -R

By default, SELinux forbids Apache/Nginx to make network requests to other servers, but later Apache/Nginx needs to request TLS certificate status from Let’s Encrypt CA server for OCSP stapling, so we need to tell SELinux to allow Apache/Nginx with the following command.

sudo setsebool -P httpd_can_network_connect 1

If you use Nginx, then you also need to run the following command to give the nginx user read and write permissions to 3 directories.

sudo setfacl -R -m u:nginx:rwx /var/lib/php/opcache/ /var/lib/php/session/ /var/lib/php/wsdlcache/

Restart Apache/Nginx.

sudo systemctl restart httpd

sudo systemctl restart nginx

Starting with Dovecot 2.3.11, the web server user needs permission to read Let’s Encrypt TLS certificate in order to do password hashing. Run the following two commands to grant permissions.

Apache

sudo setfacl -R -m u:apache:rx /etc/letsencrypt/live/ /etc/letsencrypt/archive/

Nginx

sudo setfacl -R -m u:nginx:rx /etc/letsencrypt/live/ /etc/letsencrypt/archive/

Step 5: Create a Database and User for PostfixAdmin

Log into MySQL/MariaDB shell as root with the following command.

mysql -u root

Once you are logged in, create a database for PostfixAdmin using the following command. I named it postfixadmin, but you can use whatever name you like. (Don’t leave out the semicolon.)

create database postfixadmin;

Then enter the command below to create a database user for PostfixAdmin. This command also grant all privileges of postfixadmin database to the user. Replace postfixadmin_password with your preferred password. Note that the password should not contain the # character, or you might not be able to log in later.

grant all privileges on postfixadmin.* to 'postfixadmin'@'localhost' identified by 'postfixadmin_password';

Flush the privileges table for the changes to take effect and then get out of MariaDB shell.

flush privileges;

exit;

Step 6: Configure PostfixAdmin

The default PostfixAdmin configuration file is config.inc.php. We need to create a config.local.php file and add custom configurations.

Apache

sudo nano /var/www/postfixadmin/config.local.php

Nginx

sudo nano /usr/share/nginx/postfixadmin/config.local.php

Add the following lines in the file, so PostfixAdmin can connect to MySQL/MariaDB database. Replace postfixadmin_password with the real PostfixAdmin password created in step 4.

<?php
$CONF['configured'] = true;
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_port'] = '3306';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'postfixadmin_password';
$CONF['database_name'] = 'postfixadmin';
$CONF['encrypt'] = 'dovecot:BLF-CRYPT';
$CONF['dovecotpw'] = "/usr/bin/doveadm pw -r 12";

Save and close the file. Note that we will use the BLF-CRYPT password scheme.

Step 7: Create Apache Virtual Host or Nginx Config File for PostfixAdmin

Apache

If you use Apache web server, create a virtual host for PostfixAdmin.

sudo nano /etc/httpd/conf.d/postfixadmin.conf

Put the following text into the file. Replace postfixadmin.example.com with your real domain name and don’t forget to set DNS A record for it.

<VirtualHost *:80>
  ServerName postfixadmin.example.com
  DocumentRoot /var/www/postfixadmin/public/

  ErrorLog /var/log/httpd/postfixadmin_error.log
  CustomLog /var/log/httpd/postfixadmin_access.log combined

  <Directory />
    Options FollowSymLinks
    AllowOverride All
  </Directory>

  <Directory /var/www/postfixadmin/public/>
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
  </Directory>

</VirtualHost>

Save and close the file. Reload Apache for the changes to take effect.

sudo systemctl reload httpd

Now you should be able to see the PostfixAdmin web-based install wizard at http://postfixadmin.example.com/setup.php.

Nginx

If you use Nginx web server, create a virtual host for PostfixAdmin.

sudo nano /etc/nginx/conf.d/postfixadmin.conf

Put the following text into the file. Replace postfixadmin.example.com with your real domain name and don’t forget to set DNS A record for it.

server {
   listen 80;
   listen [::]:80;
   server_name postfixadmin.example.com;

   root /usr/share/nginx/postfixadmin/public/;
   index index.php index.html;

   access_log /var/log/nginx/postfixadmin_access.log;
   error_log /var/log/nginx/postfixadmin_error.log;

   location / {
       try_files $uri $uri/ /index.php;
   }

   location ~ ^/(.+\.php)$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
   }
}

Save and close the file. Then test Nginx configuration.

sudo nginx -t

If the test is successful, reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Now you should be able to see the PostfixAdmin web-based install wizard at http://postfixadmin.example.com/setup.php.

Step 8: Enabling HTTPS

To encrypt the HTTP traffic, we can enable HTTPS by installing a free TLS certificate issued from Let’s Encrypt.

If you use Apache, run this command to obtain and install TLS certificate.

sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d postfixadmin.example.com

If you use Nginx, run the following command to obtain and install TLS certificate.

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d postfixadmin.example.com

Where:

• --apache: Use the Apache plugin.
• --nginx: Use the nginx plugin.
• --agree-tos: Agree to terms of service.
• --redirect: Force HTTPS by 301 redirect.
• --hsts: Add the Strict-Transport-Security header to every HTTP response. Forcing browser to always use TLS for the domain. Defends against SSL/TLS Stripping.
• --staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.
• --email: Email used for registration and recovery contact.
• -d flag is followed by a list of domain names, separated by comma. You can add up to 100 domain names.

The certificate should now be obtained and automatically installed, which is indicated by the messages below.

Step 9: Enable Statistics in Dovecot

PostfixAdmin needs to read Dovecot statistics. Edit the Dovecot configuration file.

sudo nano /etc/dovecot/conf.d/10-master.conf

Add the following lines to the end of this file. If you use Nginx, change apache to nginx.

service stats {
    unix_listener stats-reader {
    user = apache
    group = apache
    mode = 0660
}

unix_listener stats-writer {
    user = apache
    group = apache
    mode = 0660
  }
}

Save and close the file. Then add the web server to the dovecot group.

Apache

sudo gpasswd -a apache dovecot

NGinx

sudo gpasswd -a nginx dovecot

Restart Dovecot.

sudo systemctl restart dovecot

Step 10: Finish the Installation in Web Browser

Go to postfixadmin.example.com/setup.php to run the web-based setup wizard. First, you need to create a setup password for PostfixAdmin.

After creating the password hash, PostfixAdmin will display a line like below.

$CONF['setup_password'] = 'db1b019982a6ba878bdc6bd923bef03e:4e29fdd341b570364064a5ad69652f3d8bee0bb4';

You need to open the config.local.php file.

Apache

sudo nano /var/www/postfixadmin/config.local.php

Nginx

sudo nano /usr/share/nginx/postfixadmin/config.local.php

Add the line display on PostfixAdmin setup page to the end of the file like below.

After saving the file, you need to refresh the PostfixAdmin setup page and enter the setup password again, then create the admin account. Please don’t use a Gmail, Yahoo Mail, or Microsoft email address for the admin account, or you might not be able to log in later. Use an email address on your own domain. You can create the email address later in PostfixAdmin.

Once the superadmin account is created, you can log into PostfixAdmin at postfixadmin.example.com/login.php.

If you see the following error when trying to create a superadmin account,

can’t encrypt password with dovecotpw, see error log for details

It’s because the web server user doesn’t have permission to read Let’s Encrypt TLS certificate. To fix it, run the following two commands to grant permissions.

Apache

sudo setfacl -R -m u:apache:rx /etc/letsencrypt/live/
sudo setfacl -R -m u:apache:rx /etc/letsencrypt/archive/

Nginx

sudo setfacl -R -m u:nginx:rx /etc/letsencrypt/live/
sudo setfacl -R -m u:nginx:rx /etc/letsencrypt/archive/

If you see the following error,

Invalid query: Specified key was too long; max key length is 1000 bytes

Then you need to log in to MySQL/MariaDB database server as root from command line,

mysql -u root -p

and change the default collation from utf8mb4_general_ci to utf8_general_ci.

MariaDB [(none)]> alter database postfixadmin collate ='utf8_general_ci';

Exit MySQL/MariaDB console and reload the setup.php page.

Step 11: Configure SELinux

During installation, PostfixAdmin needs to read the Dovecot configuration files in order to create password. By default, SELinux doesn’t allow the web server to read Dovecot configuration files. You can solve the problem with the following instruction.

Install required packages.

sudo dnf install -y binutils rpm-build setools-console policycoreutils-python3 policycoreutils-devel

If PostfixAdmin can’t create password, or you can’t log into PostfixAdmin, which tells you that “Your email address or password is incorrect”, you can check if it’s SELinux forbids this actions with the following command.

sudo ausearch -m AVC -ts recent

This above command will show you SELinux events in the past 10 minutes.

• ausearch is a tool to query audit daemon (auditd.service) logs.
• -m AVC: queary AVC message type. AVC stands for Access Vector Cache .
• -ts recent: Set the timestamp to the past 10 minutes.

Sample command output:

type=AVC msg=audit(1662279808.864:90942): avc: denied { connectto } for pid=46820 comm="doveadm" path="/run/dovecot/stats-writer" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket permissive=0

You can generate a loadable SELinux module package with:

sudo ausearch -m AVC -ts recent | audit2allow -M nginx_dovecot

In the above example, I named this package nginx_dovecot, because SELinux forbid Nginx to read Dovecot config file. Then install this module package.

sudo semodule -i nginx_doveconf.pp

Sometimes, the generated module package can’t fix all the issues. You can run the following command to see why.

sudo ausearch -m AVC -ts recent | audit2allow -w

Sample output:

type=AVC msg=audit(1662279808.864:90942): avc:  denied  { connectto } for  pid=46820 comm="doveadm" path="/run/dovecot/stats-writer" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket permissive=0

	Was caused by:
	The boolean daemons_enable_cluster_mode was set incorrectly. 
	Description:
	Enable cluster mode for daemons.

	Allow access by executing:
	# setsebool -P daemons_enable_cluster_mode 1

As you can see, it shows me why the access was denied and give me a solution:

sudo setsebool -P daemons_enable_cluster_mode 1

Once that’s done, my PostfixAdmin works perfectly.

Step 12: Configure Postfix to Use MySQL/MariaDB Database

By default, Postfix delivers emails only to users with a local Unix account. To make it deliver emails to virtual users whose information is stored in the database, we need to configure Postfix to use virtual mailbox domains.

First, we need to add MySQL map support for Postfix by installing the postfix-mysql package.

sudo dnf install -y postfix-mysql

Then edit the Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Add the following lines at the end of this file. (In Nano text editor, you can press Ctrl+W, then Ctrl+V to jump to the end of a file.)

virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
   proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_alias_maps =
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf

Where:

• virtual_mailbox_domains points to a file that will tell Postfix how to look up domain information from the database.
• virtual_mailbox_maps points to files that will tell Postfix how to look up email addresses from the database.
• virtual_alias_maps points to files that will tell Postfix how to look up aliases from the database.

We want to use dovecot to deliver incoming emails to the virtual users’ message store, so also add the following line at the end of this file.

virtual_transport = lmtp:unix:private/dovecot-lmtp

Save and close the file. Next, we need to create the .cf files one by one. Create the sql directory.

sudo mkdir /etc/postfix/sql/

Create the mysql_virtual_domains_maps.cf file.

sudo nano /etc/postfix/sql/mysql_virtual_domains_maps.cf

Add the following content. Replace postfixadmin_password with the postfixadmin password you set in Step 4.

user = postfixadmin
password = postfixadmin_password
hosts = localhost
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'
#query = SELECT domain FROM domain WHERE domain='%s'
#optional query to use when relaying for backup MX
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'
#expansion_limit = 100

Create the mysql_virtual_mailbox_maps.cf file.

sudo nano /etc/postfix/sql/mysql_virtual_mailbox_maps.cf

Add the following content.

user = postfixadmin
password = postfixadmin_password
hosts = localhost
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
#expansion_limit = 100

Create the mysql_virtual_alias_domain_mailbox_maps.cf file.

sudo nano /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf

Add the following content.

user = postfixadmin
password = postfixadmin_password
hosts = localhost
dbname = postfixadmin
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active = 1 AND alias_domain.active='1'

Create the mysql_virtual_alias_maps.cf file.

sudo nano /etc/postfix/sql/mysql_virtual_alias_maps.cf

Add the following content.

user = postfixadmin
password = postfixadmin_password
hosts = localhost
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
#expansion_limit = 100

Create the mysql_virtual_alias_domain_maps.cf file.

sudo nano /etc/postfix/sql/mysql_virtual_alias_domain_maps.cf

Add the following content.

user = postfixadmin
password = postfixadmin_password
hosts = localhost
dbname = postfixadmin
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

Create the mysql_virtual_alias_domain_catchall_maps file.

sudo nano /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf

Add the following content.

# handles catch-all settings of target-domain
user = postfixadmin
password = postfixadmin_password
hosts = localhost
dbname = postfixadmin
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

Since the database passwords are stored in plain text so they should be readable only by user postfix and root, which is done by executing the following two commands.

sudo chmod 0640 /etc/postfix/sql/*
sudo setfacl -R -m u:postfix:rx /etc/postfix/sql/

Next, we need to change the value of the mydestination parameter in Postfix. Display the current value:

postconf mydestination

Sample output:

mydestination = linuxbabe.com, $myhostname, localhost.$mydomain, localhost

The mydestination parameter contains a list of domain names that will receive emails delivered to local Unix accounts. In part 1, we added the apex domain name (like linuxbabe.com) to mydestination. Since we are going to use virtual mailbox, we need to remove the apex domain name from the list by issuing the following command.

sudo postconf -e "mydestination = \$myhostname, localhost.\$mydomain, localhost"

Now let’s open the Postfix main configuration file again.

sudo nano /etc/postfix/main.cf

Add the following lines at the end of this file.

virtual_mailbox_base = /var/vmail
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000

The first line defines the base location of mail files. The remaining 3 lines define which user ID and group ID Postfix will use when delivering incoming emails to the mailbox. We use the user ID 2000 and group ID 2000.

Save and close the file. Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Next, we need to create a user named vmail with ID 2000 and a group with ID 2000.

sudo adduser vmail --system --uid 2000 --user-group --no-create-home

Create the mail base location.

sudo mkdir /var/vmail/

Make vmail as the owner.

sudo chown vmail:vmail /var/vmail/ -R

We also need to change the SELinux context to make it writable.

sudo chcon -t mail_spool_t /var/vmail/ -R

Step 13: Configure Dovecot to Use MySQL/MariaDB Database

We also need to configure the Dovecot IMAP server to query user information from the database. First, run the following command to add MySQL support for Dovecot.

sudo dnf install -y dovecot-mysql

Then edit the 10-mail.conf file.

sudo nano /etc/dovecot/conf.d/10-mail.conf

In part 2, we used the following mail_location. Email messages are stored under the Maildir directory under each user’s home directory.

mail_location = maildir:~/Maildir

Since we are using virtual mailbox domain now, we need to enable mail_home for the virtual users by adding the following line in the file, because virtual users don’t have home directories by default.

mail_home = /var/vmail/%d/%n

Save and close the file. Then edit the 10-auth.conf file.

sudo nano /etc/dovecot/conf.d/10-auth.conf

In part 2, we used the following value for auth_username_format.

auth_username_format = %n

The %n would drop away the domain if it was given. Because in part 2 we were using local Unix account for the username of every email address, we must use %n to drop away the domain, so users were able to login with the full email address.

Now we are using virtual mailbox domains, which means the username of every email address includes the domain part, so we need to change the auth_username_format as follows. %u won’t drop away the domain. This allows users to login with the full email address.

auth_username_format = %u

Uncomment the following line at the end of the file, so Dovecot can query user information from the database.

!include auth-sql.conf.ext

Now you probably don’t want local Unix users to send emails without registering email addresses in PostfixAdmin, then comment out the following line by adding the # character at the beginning, so Dovecot won’t query the local /etc/passwd or /etc/shadow file.

#!include auth-system.conf.ext

It can be helpful to add the following two lines in this file to debug login issues. The login errors would be logged into /var/log/maillog file. (Once users can login without problems, you can comment out the following two lines.)

auth_debug = yes
auth_debug_passwords = yes

Save and close the file.

Create the dovecot-sql.conf.ext file.

sudo nano /etc/dovecot/dovecot-sql.conf.ext

Here is the content that you should have. Replace postfixadmin_password with the postfixadmin password you set in Step 4.

driver = mysql

connect = host=localhost dbname=postfixadmin user=postfixadmin password=postfixadmin_password

default_pass_scheme = BLF-CRYPT

password_query = SELECT username AS user,password FROM mailbox WHERE username = '%u' AND active='1'

user_query = SELECT maildir, 2000 AS uid, 2000 AS gid FROM mailbox WHERE username = '%u' AND active='1'

iterate_query = SELECT username AS user FROM mailbox

Save and close the file. And restart Dovecot.

sudo systemctl restart dovecot

When a user tries to log in, Dovecot would generate an BLF-CRYPT hash from the password entered by the user, then compare it with the password hash stored in the database.

Step 14: Add Domain and Mailboxes in PostfixAdmin

Log in to PostfixAdmin web interface as the admin. Click the Domain List tab and select New Domain to add a domain. You can choose how many aliases and mailboxes are allowed for this domain.

Then click Virtual List tab and select Add Mailbox to add a new email address for your domain.

Now fire up your desktop email client such as Mozilla Thunderbird and add a mail account. If Thunderbird found your mail server configuration like below, simply click Done button and you will be able to read and send emails.

If Thunderbird didn’t found your mail server configuration, then click Manual config button to enter your mail server details.

• In the incoming server section, select IMAP protocol, enter mail.your-domain.com as the server name, choose port 143 and STARTTLS. Choose normal password as the authentication method.
• In the outgoing section, select SMTP protocol, enter mail.your-domain.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.

Hint: You can also use port 993 with SSL/TLS encryption for IMAP, and use port 465 with SSL/TLS encryption for SMTP. You should not use port 25 as the SMTP port in mail clients to submit outgoing emails.

You should now be able to connect to your own email server and also send and receive emails with your desktop email client!

Troubleshooting Tips

As a rule of thumb, you should always check the mail log (/var/log/maillog) on your mail server when an error happens. The following is a list of specific errors and troubleshooting tips.

Can’t login from Mail Clients

If you can’t log into your mail server from a desktop mail client, scan your mail server to find if the ports are open. Note that you should run the following command from another Linux computer or server. If you run it on your mail server, then the ports will always appear to be open.

sudo nmap mail.your-domain.com

And check if Dovecot is running.

systemctl status dovecot

You can also check the mail log (/var/log/maillog), which may give you some clues. If Dovecot fails to start, the error might not be logged to the /var/log/maillog file, you can run the following command to see what’s wrong.

sudo journalctl -eu dovecot

If you see the following error in the mail log, it’s likely that you didn’t set a correct password in the .cf files under /etc/postfix/sql/ directory.

postfix/trivial-rewrite[28494]: warning: virtual_alias_domains: proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf: table lookup problem
postfix/trivial-rewrite[28494]: warning: virtual_alias_domains lookup failure

If you see the following error in the mail log, it’s because you forgot to add mail_location = maildir:~/Maildir in the /etc/dovecot/conf.d/10-mail.conf file.

open(/var/mail/[email protected]) failed: Permission denied (euid=2000(vmail) egid=2000(vmail) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775

Cloudflare DNS

As I said in part 1, if you use Cloudflare DNS service, you should not enable the CDN (proxy) feature when creating DNS A record and AAAA record for the hostname of your mail server. Cloudflare doesn’t support SMTP or IMAP proxy.

Relay Access Denied

If you see the “relay access denied” error when trying to send emails from a mail client, it’s most likely that you use port 25 as the SMTP port in your mail client. As I said a while ago, you should use port 587 or 465 as the SMTP port in mail clients (Mozilla Thunberbird, Microsoft Outlook, etc) to submit outgoing emails. Port 25 should be used for SMTP server to SMTP server communications.

iOS Mail App

If you use the iOS Mail app to log into your mail server and encounter the following error.

You can try to fix it by enforcing SSL encryption, for both SMTP and IMAP.

Fun fact: It seems the iOS Mail app has difficulty in supporting STARTTLS on IMAP port 143, but it supports STARTTLS on the submission port 587.

Temporary Lookup Failure

If your mail server was working fine for some time, but suddenly you find the following error in the mail log,

Aug 25 20:25:24 mx postfix/trivial-rewrite[3313]: warning: virtual_alias_domains: proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf: table lookup problem
Aug 25 20:25:24 mx postfix/trivial-rewrite[3313]: warning: virtual_alias_domains lookup failure
Aug 25 20:25:24 mx postfix/submission/smtpd[3464]: NOQUEUE: reject: 451 4.3.0 <[email protected]>: Temporary lookup failure;  proto=ESMTP
Aug 25 20:25:24 mx postfix/submission/smtpd[3464]: Temporary lookup failure

It’s likely that your MariaDB/MySQL database stopped somehow. You can use the following command to check when your database server stopped.

sudo journalctl -eu mariadb

or

sudo journalctl -eu mysql

A common cause for this situation is that your server is out-of-memory. Check if your server has enough memory.

htop

or

free -m

Change User Password in PostfixAdmin

Users can log into PostfixAdmin at https://postfixadmin.example.com/users/login.php, then change their passwords.

Automatically Clean the Junk Folder and Trash Folder

To delete emails in Junk folder for all users, you can run

sudo doveadm expunge -u *@example.com mailbox Junk all

To delete emails in Trash folder for all users, run

sudo doveadm expunge -u *@example.com mailbox Trash all

I think it’s better to clean emails that have been in the Junk or Trash folder for more than 2 weeks, instead of cleaning all emails.

sudo doveadm expunge -u *@example.com mailbox Junk savedbefore 2w

Then add a cron job to automate the job.

sudo crontab -e

Add the following line to clean Junk and Trash folder every day

@daily doveadm expunge -u *@example.com mailbox Junk savedbefore 2w;doveadm expunge -u *@example.com mailbox Trash savedbefore 2w

Restricting Access to Sendmail

By default, any local user can use the sendmail binary to submit outgoing emails. Now that your mail server is using virtual mailboxes, you might want to restrict access to the sendmail binary to trusted local users only, so a malicious user can’t use it to send a large volume of emails to damage your mail server’s reputation. Edit the Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Add the following line to the end of this file, so only the root, www-data and vmail user can submit emails via sendmail. You can also add other usernames.

authorized_submit_users = root,www-data,vmail

Save and close the file. Then restart Postfix.

sudo systemctl restart postfix

Next Step

I hope this tutorial helped you install and use PostfixAdmin on Rocky Linux 9/Alma Linux 9 to create virtual mailboxes. In part 4, I will show you how to set up SPF and DKIM with Postfix to improve email deliverability and in a future tutorial, I’m going to show you how to host multiple domains with PostfixAdmin.

If you want to access emails from a web browser, then I recommend Roundcube, which is a very popular and featured-rich open-source webmail client. As always, if you found this post useful, subscribe to our free newsletter to get more tips and tricks. Take care 🙂